From:             [EMAIL PROTECTED]
Operating system: Linux
PHP version:      4.0.4pl1
PHP Bug Type:     Feature/Change Request
Bug description:  Selectable option for PHP_AUTH_PW

I am currently running Apache-1.3.17 with php-4.0.4pl1. It appears that when I am
using Apache's own mod_auth with .htaccess and .htpasswd authentication, PHP will
store the password from Apache into the PHP_AUTH_PW variable.

Though it is useful sometimes, it also creates a security problem in the following

access to is limited to users who each have their own unique 
username/password. is developed and maintained by groupA is developed and maintained by groupB

Any malicious developer in groupA or B will be able to silently steal the user's
password when they access either apps1 or apps2 without the user knowing by just
saving the values found in PHP_AUTH_USER and PHP_AUTH_PW.

The malicious developer can then use the saved password to assume the identity of the 
original user and access the website to perform functions without the original user 

Hence I am wondering if it will be possible to have a configuration directive that can 
select whether PHP_AUTH_PW will store the external password when external 
authentication modules like mod_auth are used.
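
For an administrator in the situation the report describes, one available check is to audit each group's application source for code that reads the password. The Python sketch below is an added example, not part of the original report or of PHP; the identifier list, the function names and the sample PHP are assumptions constructed for illustration.

```python
import re

# Assumed list: names that expose the Basic-auth password or the raw header,
# and functions that return every request header. Extend for your code base.
SECRET = re.compile(r"\b(PHP_AUTH_PW|HTTP_AUTHORIZATION)\b"
                    r"|\b(getallheaders|apache_request_headers)\s*\(")
PHP_BLOCK = re.compile(r"<\?.*?(?:\?>|\Z)", re.S)
# Heuristic lexer, not a PHP parser: strings are matched first so that
# "//" or "#" inside a string literal is not mistaken for a comment.
TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*")
  | (?P<com>/\*.*?\*/ | //[^\n]* | \#[^\n]*)
""", re.S | re.X)


def _blank_comments(block):
    """Replace comments with spaces, keeping strings and line breaks."""
    def repl(m):
        return m.group() if m.group("str") else re.sub(r"[^\n]", " ", m.group())
    return TOKEN.sub(repl, block)


def find_password_reads(source):
    """Return (line_number, identifier) for each reference outside comments."""
    # Comments are blanked only inside <? ... ?> blocks; text outside them is
    # scanned untouched, so a stray "#" in HTML cannot hide a later PHP block.
    code = PHP_BLOCK.sub(lambda m: _blank_comments(m.group()), source)
    hits = []
    for lineno, line in enumerate(code.split("\n"), 1):
        for m in SECRET.finditer(line):
            hits.append((lineno, m.group(1) or m.group(2)))
    return hits


# Constructed sample file, not taken from any real application.
SAMPLE = r'''<?php
// never log $PHP_AUTH_PW here
$user = $PHP_AUTH_USER;
$note = "see http://example.test/#top"; $pw = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
/* old code:
   $x = getenv("HTTP_AUTHORIZATION"); */
$h = getallheaders();
?>
<p>Logged in</p>
'''

if __name__ == "__main__":
    for lineno, name in find_password_reads(SAMPLE):
        print(f"line {lineno}: reads {name}")
```

A hit is a prompt for code review, not proof of theft: legitimate code may read the password too, and the scan does not follow include files or dynamically built variable names.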
